[Soot-list] FlowDroid: Difference between notifyFlowIn and notifyFlowOut in TaintPropagationHandler interface

Steven Arzt Steven.Arzt at cased.de
Mon Oct 19 22:52:39 EDT 2015


Hi Katie,

Yes, that's right.

Best regards,
  Steven

From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On behalf of kaunder
Sent: Monday, 19 October 2015 19:37
To: soot-list at CS.McGill.CA
Subject: Re: [Soot-list] FlowDroid: Difference between notifyFlowIn and notifyFlowOut in TaintPropagationHandler interface

Hi Steven, thank you for the reply! Could I please clarify that I understand what you've described?

Based on your response, am I correct that for each propagation of an Abstraction over a statement, the TaintPropagationHandler is invoked twice? Is it the case that:

- The notifyFlowIn method is invoked before the taint analysis engine begins its analysis
- The notifyFlowOut method is invoked after the taint analysis engine has completed its work, and in the case of an Abstraction just being passed on, the outgoing set will contain exactly the input Abstraction

Thank you again,

Katie

On 18 October 2015 at 07:17, Steven Arzt <Steven.Arzt at cased.de> wrote:

Hi Katie,

This is indeed a misunderstanding about the TaintPropagationHandler (or a result of a misleading JavaDoc comment). FlowDroid uses point-wise propagation. It takes an incoming flow abstraction and a statement to propagate the abstraction over the statement. A single incoming abstraction gets converted into a (possibly empty) set of outgoing abstractions. This is exactly what the TaintPropagationHandler models. Before the taint analysis engine looks at the incoming abstraction, it notifies the handler about it. Then, the engine code runs. With whatever comes out of this single propagation step, the handler is called once again and gets the chance to inspect and change the result set. If the engine just passes on a taint because the current statement has nothing to do with the taint at hand, the outgoing set will contain exactly the incoming object (Java object identity). That's perfectly ok.

Best regards,
  Steven

From: soot-list-bounces at CS.McGill.CA [mailto:soot-list-bounces at CS.McGill.CA] On behalf of kaunder
Sent: Friday, 16 October 2015 23:33
To: soot-list at cs.mcgill.ca
Subject: [Soot-list] FlowDroid: Difference between notifyFlowIn and notifyFlowOut in TaintPropagationHandler interface


Hi,

I'm implementing the TaintPropagationHandler interface in order to capture data about the Abstraction objects propagated during FlowDroid's analysis.

I am confused about the difference between the notifyFlowIn method and the notifyFlowOut method. In the documentation, it states that notifyFlowIn is invoked when a taint is propagated in the data flow engine, and that notifyFlowOut is invoked when a new taint is generated in the data flow engine. From this, I assume that if an existing taint is being propagated, but no new taint is being generated, only notifyFlowOut would be invoked.

In my handler, I override notifyFlowIn and notifyFlowOut to dump some information about the current abstraction to a file when they are invoked. When I examine this output, it looks like notifyFlowOut is sometimes invoked even though no new taint is generated. For example:

<Excerpt from my output file>
Generated by Handler: notifyFlowOut
Flow function type: NormalFlowFunction
***Incoming Abstraction Data***
Incoming AccessPath value: $i0
Incoming Source Context: $i0(int) * <+length> in $i0 := @parameter0: int
Incoming Abstraction hash: -210156627
Incoming AccessPath Hash: 1889033344
***Outgoing Abstraction Set Data - iterate over all elements of the set***
Outgoing set 0:
Outgoing Abstraction Access Path: $i0
Outgoing Abstraction Source Context: $i0(int) * <+length> in $i0 := @parameter0: int
Outgoing Abstraction Hash:-210156627
Outgoing AccessPath Hash:1889033344

 

In this example, it looks like the incoming and outgoing Abstractions are one and the same. I'm confused about this, because my understanding was that notifyFlowOut only gets invoked when a NEW taint is generated, and here it looks like an existing taint is being propagated. Am I confused about the nature of notifyFlowOut, or what the hash code of the Abstraction represents, or both?

I am extracting the Abstraction hash in the following way:

int myHash = incoming.hashCode();

where incoming is the Abstraction object passed into notifyFlowOut.

Thanks for any clarification you can provide,

Katie
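The following handler is an added example for the in/out protocol Steven describes above; it is not code from this thread or from FlowDroid. It assumes the method signatures of FlowDroid's current `soot.jimple.infoflow.handlers.TaintPropagationHandler` (the variant that receives an `InfoflowManager`), which differ from the 2015 release Katie was using; the package, class name and counter fields are this example's own. For every single propagation step it counts whether each outgoing abstraction is the very same Java object as the incoming one (a pass-through, compared with `==`) or a different object (new taint), and it shows why a matching `hashCode()` alone cannot answer that question: `Abstraction` defines a value-based `hashCode`, so two distinct objects can report the same value, whereas `System.identityHashCode` and `==` reflect object identity.

```java
package example.handlers; // hypothetical package, not part of FlowDroid

import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;

import soot.Unit;
import soot.jimple.infoflow.InfoflowManager;
import soot.jimple.infoflow.data.Abstraction;
import soot.jimple.infoflow.handlers.TaintPropagationHandler;

/**
 * Added example: counts pass-through steps versus steps that create new
 * taint objects. The IFDS solver may invoke the handler from several
 * worker threads, so the counters are atomic.
 */
public class PassThroughCountingHandler implements TaintPropagationHandler {

    private final AtomicLong flowInCalls = new AtomicLong();
    private final AtomicLong flowOutCalls = new AtomicLong();
    private final AtomicLong passThroughs = new AtomicLong();
    private final AtomicLong newTaints = new AtomicLong();
    private final AtomicLong killedTaints = new AtomicLong();

    @Override
    public void notifyFlowIn(Unit stmt, Abstraction taint, InfoflowManager manager,
            FlowFunctionType type) {
        // Called before the engine applies the flow function of kind 'type'
        // to 'taint' at 'stmt'. Nothing has been computed yet at this point.
        flowInCalls.incrementAndGet();
    }

    @Override
    public Set<Abstraction> notifyFlowOut(Unit stmt, Abstraction d1, Abstraction incoming,
            Set<Abstraction> outgoing, InfoflowManager manager, FlowFunctionType type) {
        // Called after the same step with the (possibly empty) result set.
        flowOutCalls.incrementAndGet();
        if (outgoing.isEmpty()) {
            // The statement killed the taint (e.g. the tainted variable was overwritten).
            killedTaints.incrementAndGet();
        }
        for (Abstraction out : outgoing) {
            if (out == incoming) {
                // Same Java object: the statement had nothing to do with this taint
                // and the engine simply passed it on.
                passThroughs.incrementAndGet();
            } else {
                // A different object: the flow function derived a new abstraction
                // (for example an assignment copying the taint to another variable).
                newTaints.incrementAndGet();
            }
        }
        // Returning the set unchanged keeps the engine's result. A handler may also
        // return a modified copy here to filter or extend what gets propagated.
        return outgoing;
    }

    /** Explains the difference between a value hash and object identity for one pair. */
    public static String identityLine(Abstraction incoming, Abstraction out) {
        return String.format(
                "hashCode in=%d out=%d | identityHashCode in=%d out=%d | sameObject=%b",
                incoming.hashCode(), out.hashCode(),
                System.identityHashCode(incoming), System.identityHashCode(out),
                incoming == out);
    }

    /** Summary to print once the analysis has finished. */
    public String summary() {
        return String.format(
                "flowIn=%d flowOut=%d passThrough=%d newTaint=%d killed=%d",
                flowInCalls.get(), flowOutCalls.get(), passThroughs.get(),
                newTaints.get(), killedTaints.get());
    }
}
```

With the protocol as described, `flowIn` and `flowOut` end up equal after a run, since every step produces exactly one call of each. The handler is assumed to be registered on the `Infoflow` instance through its `setTaintPropagationHandler` method before the analysis starts; in Katie's excerpt, where incoming and outgoing show the same `hashCode`, `identityLine` would additionally report `sameObject=true` for a genuine pass-through and `false` where the engine happened to create an equal-valued copy.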

 
